From patchwork Mon Aug 2 22:00:31 2010
X-Patchwork-Submitter: stephen hemminger
X-Patchwork-Id: 60686
X-Patchwork-Delegate: davem@davemloft.net
Message-Id: <20100802220113.557212477@vyatta.com>
Date: Mon, 02 Aug 2010 15:00:31 -0700
From: Stephen Hemminger
To: David Miller
Cc: netdev@vger.kernel.org
Subject: [PATCH 1/4] net: check for reference outside of skb
References: <20100802220030.991706005@vyatta.com>

It is legitimate for callers of skb_header_pointer to pass a negative offset, but the resulting pointer should not go outside the valid range of data in the skb.

Signed-off-by: Stephen Hemminger
---
--- a/include/linux/skbuff.h 2010-08-01 09:23:01.635121262 -0700 +++ b/include/linux/skbuff.h 2010-08-01 09:25:27.453901530 -0700 @@ -1853,6 +1853,9 @@ static inline void *skb_header_pointer(c { int hlen = skb_headlen(skb); + if (hlen + offset < 0) + return NULL; + if (hlen - offset >= len) return skb->data + offset;
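
Review bot: The new lower bound `if (hlen + offset < 0)` measures a negative offset against `hlen`, which is `skb_headlen(skb)`, the length of the linear data that starts at `skb->data`. The bytes that `skb->data + offset` reaches with a negative offset lie before `skb->data`, and how many of those exist is given by the headroom, not by the head length. As written, a short linear area rejects a negative offset that may still be inside the buffer, and a long one accepts an offset that may point before the start of the buffer. If the intent stated in the commit message is to keep the returned pointer inside the skb, consider bounding negative offsets with `skb_headroom(skb)` instead, and add a comment above the check saying which negative offsets callers are allowed to pass.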